Many of my friends and colleagues were in Sao Paulo last week for
NETMundial, the Multi-stakeholder Meeting on the Future of Internet
Governance. Dilma Rousseff, President of Brazil, convened this
initiative to "focus on principles of Internet governance and the
proposal for a roadmap for future development of this ecosystem."
NETMundial was originally motivated by revelations from Edward Snowden
about mass surveillance conducted by the US and UK governments,
including spying on President Rousseff herself. These revelations
prompted Mrs Rousseff to state "In the absence of the right to privacy,
there can be no true freedom of expression and opinion, and therefore no
effective democracy" in a speech to the UN at the 68th General Assembly.
Yet, as important as Internet governance is for our future, and as
valuable as any effort to address this is, it is unlikely to do much, if
anything, about the right to privacy online. Why? Because surveillance
is not an issue of Internet governance, but of the way the Internet is
financed. The vast amount of consumer data amassed by private companies
like Google, Facebook and Verizon is not the result of IANA or ICANN
policy, but of the business models of these companies which seek to
generate profits by way of this data. It is inconceivable that these
companies could amass such vast amounts of consumer data, use it for
marketing purposes, sell and share access to it with other companies,
and yet, somehow keep it out of the hands of the NSA and similar
intelligence agencies. Likewise, the extraordinary hacks, mods and
exploits the NSA has conducted, as revealed by Snowden, would not be
thwarted by any IANA regulation. Aggression by the US is not an Internet
problem, and Internet governance can not do away with it, any more than
it can do away with drone strikes and regime change projects.
Yet, there is lots that governments can do to ensure the right to
privacy, and they can do so today, even absent any change in global
Internet governance.
Governments have the ability to regulate the way telecoms and Internet
companies operate within their countries. Indeed, the government is no
stranger to creating regulation. Government regulation ensures buildings
are built correctly, structurally sound, follow the fire code, etc.
Governments create rules that make sure highways, roads, and sidewalks
are used safely. Governments pass laws to prevent consumers from being
defrauded, create statutory warranties, labour standards, regulate
broadcast media, etc. Governments can pass regulations to protect the
right to privacy. The idea that governments such as Brazil, Germany
and the others participating in NETMundial need reforms to IANA and
friends before they can work towards guaranteeing their own citizens'
right to privacy is absurd.
To guarantee the right to privacy, communication systems must implement
the end-to-end principle, which states that functionality ought to
reside in the end hosts of a network rather than in intermediary nodes.
The term "end-to-end" principle was coined in a 1981 paper by J.H.
Saltzer, D.P. Reed and D.D. Clark at the MIT Laboratory for Computer
Science, "End-to-End Arguments in System Design," in which they
specifically address privacy.
In the section titled "Secure transmission of data," the authors argue
that to ensure "that a misbehaving user or application program does not
deliberately transmit information that should not be exposed," the
"automatic encryption of all data as it is put into the network [...] is
a different requirement from authenticating access rights of a system
user to specific parts of the data." This means that to protect the
users' rights to privacy, it is not sufficient to encrypt the network
itself, or even the platform, as this does not protect against the
operators of the network, or other users who have access to the
platform. What is needed, the authors argue, is the "use of encryption
for application-level authentication and protection," meaning that only
the software run by the user on the end-node, or their own personal
computer, should be able to encrypt and decrypt information for
transmission, rather than any intermediary nodes, and only with the
user's own login credentials.
The end-to-end principle is a key concept in the design of the Internet
itself. The underlying "Transmission Control Protocol," one of the core
protocols of the Internet protocol suite (TCP/IP), exemplifies the
end-to-end principle, and allows applications running on remote nodes to use
the Internet for the reliable communication of arbitrary data across the
network, without requiring any of the intermediary nodes to know or
understand the purpose of the data being transmitted.
In principle, therefore, there is absolutely nothing technically
stopping everybody from employing private communications on the
Internet. So then, how did we get into this mess we're in now? Why did
the Internet, which has the end-to-end principle in its core
architecture, become host to the largest-scale mass surveillance in
history?
Two reasons: Capitalism and IPv4. Let's start with IPv4.
Internet Protocol Version 4 (IPv4) was created in 1981, the same year
the Saltzer, Reed, and Clark paper was published. IPv4 provides
approximately 4.3 billion addresses, which sounds like a lot, until you
realize that every device that connects to the Internet needs at least
one. Running out was not presumed to be a big issue at the time, as this
version was originally presumed to be a test of DARPA's networking
concepts, and not the final addressing scheme for the global Internet.
In 1981 4.3 billion addresses seemed like an awful lot, but when the
public Internet began to take off in the Nineties, it became clear that
this would not be nearly enough. In 1998 RFC 2460 was released. This
document is the specification for IPv6, an addressing scheme that allows
for a near limitless number of addresses, trillions of trillions for
each person on earth. Yet, as NETMundial was taking place in Brazil,
nearly 16 years since the protocol was invented, Google reports that
about 3% of visits to its services use IPv6. The "World IPv6 Launch"
site, which promotes IPv6 adoption, estimates that more than half of
Internet users around the world will have IPv6 available by 2018. In
other words, 20 years after the design of the protocol, nearly half of
all Internet users will not have access. It's important to note that it
is not hardware adoption that is holding things up. It's highly doubtful
that many devices made in the last 10 years could not support IPv6. It's
rather that the owners of the networks do not configure their networks
to support it.
As everybody knows, 20 years is effectively infinity in Internet years.
With IPv6 a far away utopia, and with IPv4 addresses still the currency
of Internet service, NAT was developed. The vast majority of devices
available to users were not assigned public IP addresses, but only
private ones, separated from the public Internet by "Network Address
Translation" (NAT), a system that allowed the sharing of public IP
addresses by many end-nodes. This was an effective solution to IPv4
address exhaustion, but introduced a bigger problem: the network was no
longer symmetric. Software running on users' computers can reach central
Internet resources, but can not reach other users, who are also on
private address space, without some intermediary service providing
access.
What this means is that so long as users are on private address space,
any communication system they use requires centralized resources to
bridge connections between users, and what's more, the scale of these
central resources must grow in proportion to the number of users it
has. In order for the end-to-end principle to be respected, these
intermediary services need to support it.
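
The asymmetry described above, modelled as an added example (not part of
the original post): a toy port-translating NAT in Python. The `Nat` class,
its filtering rule and every address below are assumptions made for
illustration.

```python
import ipaddress

class Nat:
    """Port-translating NAT that only admits replies from the contacted peer
    (an assumed filtering behaviour for this model)."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}  # public port -> (private endpoint, remote endpoint)

    def outbound(self, private_ep, remote_ep):
        """Record a mapping for an outgoing flow; return the public endpoint used."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (private_ep, remote_ep)
        return (self.public_ip, port)

    def inbound(self, remote_ep, public_port):
        """Return the private endpoint a packet is delivered to, or None if dropped."""
        private_ep, expected = self.table.get(public_port, (None, None))
        return private_ep if expected == remote_ep else None

def simulate():
    # Constructed addresses: RFC 1918 private hosts, RFC 5737 documentation
    # ranges standing in for public addresses.
    alice, bob = ("192.168.1.10", 5000), ("10.0.0.7", 5000)
    relay = ("198.51.100.1", 443)
    nat_a, nat_b = Nat("203.0.113.5"), Nat("203.0.113.9")
    result = {}
    # Neither end host has an address the other can route to.
    result["both_private"] = all(
        ipaddress.ip_address(host[0]).is_private for host in (alice, bob))
    # Alice sends straight at Bob's NAT: no mapping exists, so it is dropped.
    a_direct = nat_a.outbound(alice, (nat_b.public_ip, 5000))
    result["direct"] = nat_b.inbound(a_direct, 5000)
    # Both dial out to the relay, creating mappings the relay can answer through.
    a_pub = nat_a.outbound(alice, relay)
    b_pub = nat_b.outbound(bob, relay)
    relay_log = []             # everything the intermediary handles
    message = "hello bob"      # unencrypted application payload
    relay_log.append((a_pub, b_pub, message))
    result["via_relay"] = nat_b.inbound(relay, b_pub[1])
    result["relay_saw"] = [m for _, _, m in relay_log]
    return result

if __name__ == "__main__":
    print(simulate())
```

The direct attempt is dropped while the relayed one is delivered, and the
relay's log holds the payload unless the end hosts encrypt it themselves.
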
And this is where we get to the Capitalism part: Building, maintaining and
scaling these resources requires money. In the case of "web scale"
platforms, lots of money.
By and large, this money comes from Venture Capital. As Capitalists
must capture profit or lose their capital, these platforms require
business models, and while many business models are possible, the most
popular today, the one presumed to be the most lucrative by investors,
is big data. Thus, instead of respecting the end-to-end principle and
engineering functionality into the end hosts of a network, capitalists
instead only invest in applications where core functionality is built
into the intermediary nodes, that can capture user data and control user
interaction, which is how they make money.
Capitalist platforms grow and collect data around these intermediary
nodes in the same way that mould grows around leaky pipes. In order to
give alternative platforms that respect the right to privacy a fighting
chance and rid the Internet of the mould of centralized data-collecting
platforms, we must fix the pipes; we need to remove the asymmetry in the
network.
We can not allow private initiative alone to push adoption of IPv6, and
wait however many years or decades it takes to get it. If governments
want to promote their citizens' right to privacy, they need to mandate
adoption of IPv6, to ensure their citizens are able to use software that
respects the end-to-end principle.
Here is a charter of rights that all Governments can provide to their
own citizens right now to promote the right of privacy:
- IPv6 connectivity with adequate public address space for all!
- At least one DNS Domain Name for every citizen!
- At least one Government signed SSL certificate for every citizen!
If each citizen had a public address space, a domain name and a signed
certificate, the leaky pipes of the Internet could be fixed, the
surveillance mould would dissipate, and new privacy-respecting
applications could flourish!
DEMAND IPv6 NOW!
Sharable Version:
http://www.dmytri.info/dear-netmundial-governance-is-cool-and-all-but-we-need-to-demand-ipv6-now/
# distributed via <nettime>: no commercial use without permission